From: Ansgar Burchardt
Date: Sun, 21 Jul 2013 19:59:45 +0000 (+0200)
Subject: Add option to specify CAs to trust for LDAP connection over TLS
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99475d30981c1952e61c5390cd243afff7888388;p=dak
Add option to specify CAs to trust for LDAP connection over TLS
An explicit option makes us not rely on ldap.conf to be setup correctly for dak's use of LDAP.
---
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index f6459d5c..b1f8c4b8 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -56,6 +56,7 @@ Import-LDAP-Fingerprints
 {
 LDAPDn "ou=users,dc=debian,dc=org";
 LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
 ExtraKeyrings
 {
 "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index c06cd674..2954c595 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -97,6 +97,7 @@ Import-LDAP-Fingerprints
 {
 LDAPDn "ou=users,dc=debian,dc=org";
 LDAPServer "db.debian.org";
+ CACertFile "/etc/ssl/certs/spi-cacert-2008.pem";
 ExtraKeyrings
 {
 "/srv/keyring.debian.org/keyrings/removed-keys.pgp";
diff --git a/daklib/dbconn.py b/daklib/dbconn.py
index 413a0fdd..a90ad102 100644
--- a/daklib/dbconn.py
+++ b/daklib/dbconn.py
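Review bot: The new `CACertFile` line carries no comment saying what it governs, and its effect is security-relevant: in the dbconn.py hunk below, TLS is only started and the server certificate only verified inside `if ca_cert_file:`, so dropping or misspelling this key appears to fall back to plain LDAP followed by the anonymous `simple_bind_s("","")` that is already there. A one-line comment above it, in the file's comment style, would make that visible to whoever next edits the config, e.g. `// CA bundle used to verify the LDAPServer certificate; dak only starts TLS for this connection when this is set`. Since the trust store is a single dated file rather than the system bundle, the comment could also note that the import presumably fails closed if the file is missing or the server's CA changes, which is the intended behaviour but worth stating for operators. The identical line is added to config/debian/dak.conf in the next hunk and needs the same comment.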
@@ -1250,8 +1250,19 @@ class Keyring(object):
 LDAPDn = cnf["Import-LDAP-Fingerprints::LDAPDn"]
 LDAPServer = cnf["Import-LDAP-Fingerprints::LDAPServer"]
+ ca_cert_file = cnf.get('Import-LDAP-Fingerprints::CACertFile')
 l = ldap.open(LDAPServer)
+
+ if ca_cert_file:
+ # Request a new TLS context. If there was already one, libldap
+ # would not change the TLS options (like which CAs to trust).
+ l.set_option(ldap.OPT_X_TLS_NEWCTX, True)
+ l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_HARD)
+ l.set_option(ldap.OPT_X_TLS_CACERTDIR, None)
+ l.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
+ l.start_tls_s()
+
 l.simple_bind_s("","")
 Attrs = l.search_s(LDAPDn, ldap.SCOPE_ONELEVEL, "(&(keyfingerprint=*)(gidnumber=%s))" % (cnf["Import-Users-From-Passwd::ValidGID"]),